Many software applications require users to positively identify themselves before allowing access to private information. This could be as simple as logging on to a computer as a specific user, or providing credentials prior to accessing banking or other financial information. With the increase of information available over the internet or in computerized form, there has been a dramatic increase in identity theft, and in theft of private or secured data by unauthenticated parties who either use it or offer it for ransom. To combat this trend, computer security systems have struggled to keep up, often requiring more extensive authentication protocols prior to allowing access to secure data. There may be multiple password challenges, a requirement to change passwords frequently, and a complexity level for passwords requiring numerous symbols, numbers, or capitalized letters, forming a lengthy string.
This trend toward complex, lengthy and robust authentication is juxtaposed against the market trending toward simplicity in the mobile workspace. Highly functional mobile devices that can access secure data (either on-device or remote) are ubiquitous, and the purpose behind such devices is immediate availability of information. They are purposefully small in size to allow for ease of mobility and placement in a purse or pocket. Users want instant access with a couple of touches to a touch screen or a swipe of a finger. They are easily frustrated with any requirement to input complex, lengthy passwords.
Organizations that have ported applications to the mobile space have attempted to impose ever more complex authentication mechanisms on mobile devices. However, complex passwords do not work well in the mobile workspace. Mobile application use is meant to be short and easy. Conventional passwords are incompatible with mobile devices due to form factor and ease-of-use requirements. These passwords can easily be mistyped on a mobile device, causing authentication errors and lengthening the authentication process. Also, complex passwords often require a user to switch between multiple keyboards (letters, numbers, symbols). Users generally choose passwords that are simple and fast to enter on mobile keyboards, which results in very insecure passwords that are easily predicted by simple tools used by hackers.
While user-based authentication (e.g., provision of a password or proper response to a question, etc.) is limited and frustrating on mobile devices, there are ways to authenticate a user device without any direct input from the user. This “transparent authentication” is possible because of the numerous data gathering features of common mobile devices. As explained more fully below, these sensors detect a wide variety of data such as available wireless connections, the location of the device, the time of day, even the orientation of the device in a user's hand. Such “conditions,” which may be environmental or behavioral or both, are often repeated, such that user authentication can be performed based on the regularity of the environmental conditions at a given time.
Other inventions have suggested using this condition data of a mobile device to help reduce inputs and simplify a user's experience. For example, US Pub. 2009/0327888 suggests using certain condition data picked up through device sensors to predict what a user will want to enter into certain fields of a form, such as the user's address or other information. US Pub. 2014/0157390 uses similar information, including the device's GPS location, to bring forward files or information the user is likely to want in that location, such as financial information when the user enters his bank, etc. US 2015/0371026 discloses a system that authenticates a user based on sensors picking up a connection to certain commonly accessed Bluetooth devices. In this case, the device connected via Bluetooth may function to transfer secure and unsecure data in order to assist with the authentication. U.S. Pat. No. 8,621,583 suggests sensor-based authentication by transmitting condition data off device to a secure password repository on a remote device. This remote device (secure password repository) analyzes the data and brokers the authentication (in a client-server fashion) by releasing the user's password to the authentication destination (e.g., a website) if the conditions are accepted. However, systems such as these require the user's sensitive data to be stored off-device, often in unencrypted fashion, and ultimately subject the data to capture by transferring it between devices.
Client-server systems rely on a distributed architecture because they were designed to authenticate to remote systems, and they are therefore subject to a multitude of vulnerabilities related to client-server communications. While these systems focus on using environmental conditions detected by a mobile device to automate and simplify processes, none of them does so in a secure manner to perform transparent authentication, and they generally require that sensitive raw data be stored, transmitted, and analyzed on a remote destination in an unsecure fashion to complete the authentication process successfully. When the authenticating conditions are retrievable on a remote component of a system, the system can be operated by an unauthorized party that gains control of the remote destination or control of the mobile device itself. Prior art client-server authentication systems are flawed in that they do not securely authenticate the user of the device to the device itself prior to attempting to use the device to authenticate to remote destinations. An unauthorized party can also masquerade as the originating device, without having the device at all, in an attempt to brute force the conditions that are required for the remote password repository to release the credentials. The remote repository may succumb to attacks from the local area network or Internet.
Typically, remote-server-based authentication systems are designed with the goal of leveraging a mobile device to authenticate to additional services outside of that device. Such systems do not aim to improve the authentication experience on the mobile device itself, which is a core issue plaguing mobile devices. A key first step is to authenticate the user to the device itself, and that step is often ignored completely.
Environmental and behavioral data can afford authentication stronger than any password and boost usability of the device by not soliciting the user. However, these prior art systems are, at best, insecure solutions to the authentication problem. They determine if a profile matches based on raw data points and do not create any form of encryption keys from the environmental or behavioral data. They use only a single or a small number of conditional factors, which creates weak authentication that can be spoofed or duplicated by unauthorized third parties. They do not ensure the security of the underlying device prior to performing authentication, and therefore allow the authentication system to be subverted in the event of a device compromise, resulting in the capture of sensitive authenticating information. What is needed is a system for transparent authentication on mobile devices that is fully secure and provides both a pleasant and seamless user experience while aggressively protecting against password capture or unauthorized access in the event that a mobile device is misplaced or captured.
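The contrast drawn above between matching a profile on raw data points and creating a key from condition data can be made concrete. The following is an added example, not taken from this document or from any of the cited systems; the field names, the sample readings and the PBKDF2-based construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample readings; field names and values are illustrative only.
ENROLLED = {
    "wifi_bssid": "aa:bb:cc:dd:ee:ff",
    "geo_cell": "40.71,-74.00",
    "hour_bucket": "08-10",
    "bt_peer": "car-kit",
}

def canonical(conditions):
    """Stable byte encoding: sorted keys joined by the ASCII unit separator."""
    return "\x1f".join(f"{k}={conditions[k]}" for k in sorted(conditions)).encode()

def raw_enroll(conditions):
    """Raw-data matching: the stored record is the sensitive data itself."""
    return dict(conditions)

def raw_match(record, observed):
    return record == observed

def derive_key(conditions, salt):
    """Stretch the quantized conditions into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", canonical(conditions), salt, 200_000)

def key_enroll(conditions):
    """Store only a random salt and a check tag; no condition value is kept."""
    salt = os.urandom(16)
    tag = hmac.new(derive_key(conditions, salt), b"enroll-check", hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}

def key_unlock(record, observed):
    """Return the key if the observed conditions regenerate it, else None."""
    key = derive_key(observed, record["salt"])
    tag = hmac.new(key, b"enroll-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, record["tag"]) else None

def leaks_conditions(record, conditions):
    """True if any enrolled value is readable in the stored record."""
    blob = repr(record).encode()
    return any(v.encode() in blob for v in conditions.values())

if __name__ == "__main__":
    raw, keyed = raw_enroll(ENROLLED), key_enroll(ENROLLED)
    elsewhere = dict(ENROLLED, wifi_bssid="11:22:33:44:55:66")
    print(leaks_conditions(raw, ENROLLED), leaks_conditions(keyed, ENROLLED))
    print(key_unlock(keyed, ENROLLED) is not None, key_unlock(keyed, elsewhere))
```

A key derived this way is only as hard to guess as the conditions that feed it, which is why a single factor or a small number of factors remains weak regardless of how the record is stored.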